[PR #1962] [CLOSED] fix DTVCC: Structural type confusion / OOB writes #2761

Open
opened 2026-01-29 17:23:47 +00:00 by claunia · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/CCExtractor/ccextractor/pull/1962
Author: @THE-Amrit-mahto-05
Created: 1/2/2026
Status: Closed

Base: master ← Head: fix/dtvcc-structural-oob


📝 Commits (2)

  • 5dc8292 Fix out-of-bounds read in H.264 SEI parsing
  • 82109e6 Fix DTVCC structural type confusion and OOB writes (#1961)

📊 Changes

2 files changed (+46 additions, -2 deletions)

📝 src/lib_ccx/avc_functions.c (+8 -2)
📝 src/lib_ccx/ccx_decoders_708.c (+38 -0)

📄 Description

In raising this pull request, I confirm the following (please check boxes):

  • [x] I have read and understood the contributors guide.
  • [x] I have checked that another pull request for this purpose does not exist.
  • [x] I have considered, and confirmed that this submission will be valuable to others.
  • [x] I accept that this submission may not be used, and the pull request closed at the will of the maintainer.
  • [x] I give this submission freely, and claim no ownership to its content.
  • [x] I have mentioned this change in the changelog.

My familiarity with the project is as follows (check one):

  • [ ] I have never used CCExtractor.
  • [ ] I have used CCExtractor just a couple of times.
  • [ ] I absolutely love CCExtractor, but have not contributed previously.
  • [x] I am an active contributor to CCExtractor.

Title: [FIX] DTVCC: Structural type confusion / OOB writes (#1961)

Description:
This PR addresses a critical structural type confusion and out-of-bounds (OOB) write in the DTVCC (CEA-708) decoder.

Issue: #1961

Problem:
Malformed or malicious CEA-708 streams could define windows with row/column counts exceeding the maximums. This could lead to:

  • Heap buffer over-reads
  • Reading struct members as pointers (information leak)
  • Overwriting TV screen metadata
  • Undefined behavior during caption extraction

Fix implemented:

  • Added bounds checks for row_count and col_count in dtvcc_handle_DFx_DefineWindow.
  • Added safety checks for pen_row and pen_column in dtvcc_process_character and dtvcc_handle_SPL_SetPenLocation.
  • Added invariant check in dtvcc_window_copy_to_screen to reject windows exceeding maximum dimensions.
  • Logging added for invalid dimensions and pen positions for easier debugging.

Impact:

  • Prevents out-of-bounds memory access.
  • Ensures decoder robustness against malformed streams.

Testing:

  • Verified windows exceeding CCX_DTVCC_MAX_ROWS/COLUMNS are rejected.
  • Verified pen positions outside valid bounds are ignored safely.
  • Confirmed normal streams continue to work correctly with no regression.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
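
The layered checks listed under "Fix implemented", modelled as an added example; this is not the code from this PR or from CCExtractor. The struct, the function names and the limits `MAX_ROWS`/`MAX_COLS` are hypothetical stand-ins for the decoder's window state and its `CCX_DTVCC_MAX_ROWS/COLUMNS` constants.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical limits for this example; the project's real values may differ. */
#define MAX_ROWS 15
#define MAX_COLS 32

typedef struct {
    int defined, row_count, col_count, pen_row, pen_column;
    unsigned char cells[MAX_ROWS][MAX_COLS]; /* fixed-size backing store */
} window_t;

/* True only when (row, col) lies inside the window's declared size. */
static int pen_ok(const window_t *w, int row, int col) {
    return w->defined && row >= 0 && row < w->row_count &&
           col >= 0 && col < w->col_count;
}

/* Window definition: stream-supplied sizes are validated before being
 * stored, so later indexing can never exceed cells[][]. */
int define_window(window_t *w, int row_count, int col_count) {
    if (row_count < 1 || row_count > MAX_ROWS ||
        col_count < 1 || col_count > MAX_COLS) {
        fprintf(stderr, "invalid window size %dx%d\n", row_count, col_count);
        return -1; /* window state is left untouched */
    }
    memset(w, 0, sizeof(*w));
    w->defined = 1; w->row_count = row_count; w->col_count = col_count;
    return 0;
}

/* Pen move: reject positions outside the window instead of storing them. */
int set_pen_location(window_t *w, int row, int col) {
    if (!pen_ok(w, row, col)) {
        fprintf(stderr, "invalid pen position %d,%d\n", row, col);
        return -1;
    }
    w->pen_row = row; w->pen_column = col;
    return 0;
}

/* Character write: re-check at the point of use, because the pen may have
 * been advanced past the last column or changed by another code path. */
int process_character(window_t *w, unsigned char ch) {
    if (!pen_ok(w, w->pen_row, w->pen_column)) return -1;
    w->cells[w->pen_row][w->pen_column++] = ch;
    return 0;
}

int main(void) {
    window_t w = {0};
    return define_window(&w, MAX_ROWS + 1, 8) == -1 ? 0 : 1;
}
```
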

claunia added the pull-request label 2026-01-29 17:23:47 +00:00
Reference: starred/ccextractor#2761